VYPR
Critical severity · 9.8 · NVD Advisory · Published Sep 26, 2016 · Updated May 6, 2026

CVE-2016-4972

Description

OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.
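As an added illustration (not code from the Murano project or this advisory), here are the two loader shapes side by side: one derived from yaml.Loader, as Murano's YaqlYamlLoader was before the fix, and one built the way the patch builds it, on yaml.SafeLoader with a SafeConstructor-based mixin. TrackedDict, build_position and the two sample documents are simplified stand-ins constructed for this example; it needs PyYAML.

```python
import yaml


class TrackedDict(dict):
    """Mapping that remembers where it was defined (stand-in for MuranoPlDict)."""
    source_file_position = None


def build_position(node):
    # Simplified stand-in for Murano's build_position: 1-based (line, column).
    return (node.start_mark.line + 1, node.start_mark.column + 1)


class TrackingConstructor(yaml.constructor.SafeConstructor):
    # Same shape as the patched MuranoPlYamlConstructor: yield the container
    # first so anchors/aliases pointing back at it resolve, then fill it in.
    def construct_yaml_map(self, node):
        data = TrackedDict()
        data.source_file_position = build_position(node)
        yield data
        data.update(self.construct_mapping(node))


class SafeTrackingLoader(yaml.SafeLoader, TrackingConstructor):
    """Post-fix shape: SafeLoader has no constructors for python/* tags."""


class UnsafeTrackingLoader(yaml.Loader, TrackingConstructor):
    """Pre-fix shape: yaml.Loader builds Python objects from extended tags."""


# The map tag must be re-registered on each subclass: PyYAML dispatches on the
# function stored in the class's constructor table, not on the MRO, and
# add_constructor copies that table, so yaml.SafeLoader itself is untouched.
for cls in (SafeTrackingLoader, UnsafeTrackingLoader):
    cls.add_constructor('tag:yaml.org,2002:map', cls.construct_yaml_map)

# Constructed samples: a plain UI-style definition, and one carrying an extended
# python tag (a harmless builtin on purpose: what matters is that the safe
# loader rejects the tag family, whatever it names).
PLAIN_DOC = "Name: demo\nForms:\n  - appConfiguration:\n      fields: []\n"
TAGGED_DOC = "Name: demo\nHandler: !!python/name:builtins.len\n"


def load_with(loader_cls, text):
    """Return ('ok', document) or ('rejected', reason) for the chosen loader."""
    try:
        return 'ok', yaml.load(text, Loader=loader_cls)
    except yaml.constructor.ConstructorError as exc:
        return 'rejected', exc.problem
```

With the safe loader the plain document still comes back as position-tracking mappings, while the tagged document is refused with a ConstructorError; the yaml.Loader-based class resolves the tag to a live Python object, which is the behaviour the patch removes.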

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions      Patched versions
murano (PyPI)                < 1.0.3                1.0.3
murano-dashboard (PyPI)      < 1.0.3                1.0.3
murano-dashboard (PyPI)      >= 2.0.0, < 2.0.1      2.0.1
python-muranoclient (PyPI)   < 0.7.3                0.7.3
python-muranoclient (PyPI)   >= 0.8.0, < 0.8.5      0.8.5

Patches

1 patch · commit 28de8c36c9db

Use SafeLoader to load yaml files

https://github.com/openstack/murano · Kirill Zaitsev · May 26, 2016 · via ghsa
4 files changed · +14 −5
  • murano/engine/yaql_yaml_loader.py · +3 −3 · modified
    @@ -43,15 +43,15 @@ def build_position(node):
                     node.end_mark.line + 1,
                     node.end_mark.column + 1)
     
    -        class MuranoPlYamlConstructor(yaml.constructor.Constructor):
    +        class MuranoPlYamlConstructor(yaml.constructor.SafeConstructor):
                 def construct_yaml_map(self, node):
                     data = MuranoPlDict()
                     data.source_file_position = build_position(node)
                     yield data
                     value = self.construct_mapping(node)
                     data.update(value)
     
    -        class YaqlYamlLoader(yaml.Loader, MuranoPlYamlConstructor):
    +        class YaqlYamlLoader(yaml.SafeLoader, MuranoPlYamlConstructor):
                 pass
     
             YaqlYamlLoader.add_constructor(
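Review bot: nothing in this class body records why the bases changed to yaml.constructor.SafeConstructor and yaml.SafeLoader; add a one-line comment naming CVE-2016-4972 above MuranoPlYamlConstructor so a later cleanup does not "simplify" it back to yaml.Loader. Also worth confirming, since the `YaqlYamlLoader.add_constructor(` call at the end of this hunk is cut off, that construct_yaml_map is still registered for the map tag on the SafeLoader-based class: that registration is what keeps MuranoPlDict.source_file_position populated, and because add_constructor copies the table into the subclass, yaml.SafeLoader itself stays unchanged.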
    @@ -60,7 +60,7 @@ class YaqlYamlLoader(yaml.Loader, MuranoPlYamlConstructor):
     
             # workaround for PyYAML bug: http://pyyaml.org/ticket/221
             resolvers = {}
    -        for k, v in yaml.Loader.yaml_implicit_resolvers.items():
    +        for k, v in yaml.SafeLoader.yaml_implicit_resolvers.items():
                 resolvers[k] = v[:]
             YaqlYamlLoader.yaml_implicit_resolvers = resolvers
     
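Review bot: the resolver copy now reads from yaml.SafeLoader, which matches the new base class, and the two must stay in sync because the ticket 221 workaround only protects whichever class's yaml_implicit_resolvers is copied. To stop them drifting apart again, consider one module-level alias (for example `_BaseLoader = yaml.SafeLoader`) used both in the `class YaqlYamlLoader(...)` definition and in this loop.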
    
  • murano/tests/functional/common/utils.py · +1 −1 · modified
    @@ -249,7 +249,7 @@ def _convert_service(cls, service):
             """
             component = service.to_dict()
             component = json.dumps(component)
    -        return yaml.load(component)
    +        return yaml.safe_load(component)
     
         @classmethod
         def get_service_id(cls, service):
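Review bot: yaml.safe_load is the right call here and nothing is lost, because the input is the output of json.dumps(component): JSON is valid YAML, and safe_load yields only plain dicts, lists and scalars. If the only purpose of the dumps/load round trip is to turn service.to_dict() into plain Python types, json.loads(component) would state that intent more directly and keep YAML out of the test helper altogether.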
    
  • murano/tests/unit/policy/test_congress_rules.py · +1 −1 · modified
    @@ -87,7 +87,7 @@ def _load_file(self, file_name):
                 os.path.dirname(inspect.getfile(self.__class__)), file_name)
     
             with open(model_file) as stream:
    -            return yaml.load(stream)
    +            return yaml.safe_load(stream)
     
         def _create_rules_str(self, model_file, package_loader=None):
             model = self._load_file(model_file)
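Review bot: yaml.safe_load is correct for these model files, which are read from disk next to the test. One caveat: safe_load knows nothing about the constructors registered on YaqlYamlLoader in murano/engine/yaql_yaml_loader.py, so if a fixture ever needs MuranoPL-specific tags or source positions it has to be loaded through YaqlYamlLoader instead; a short comment stating that these fixtures are plain YAML would make the choice explicit.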
    
  • releasenotes/notes/safeloader-cve-2016-4972-19035a2a091ec30a.yaml · +9 −0 · added
    @@ -0,0 +1,9 @@
    +---
    +security:
    +  - cve-2016-4972 has been addressed. In ceveral places
    +    Murano used loaders inherited directly from yaml.Loader
    +    when parsing MuranoPL and UI files from packages.
    +    This is unsafe, because this loader is capable of creating
    +    custom python objects from specifically constructed
    +    yaml files. With this change all yaml loading operations are done
    +    using safe loaders instead.
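Review bot: typo and capitalisation in the note text: "ceveral" should be "several", and "cve-2016-4972", "python" and "yaml" are normally written "CVE-2016-4972", "Python" and "YAML" in release notes. The note also claims "all yaml loading operations are done using safe loaders", while this commit changes the engine loader and two test helpers; if murano-dashboard and python-muranoclient are fixed in their own repositories, saying the statement is scoped to this repository would avoid misleading readers of the combined advisory.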
    
